TYPO3 Formhandler is an extension to build and handle forms on TYPO3 websites.

More Details
============

TYPO3 Formhandler can validate form data and create a pre-filled form with previous values and error messages, if the data does not comply. It uses input sanitisation and output encoding as an approach to prevent XSS when embedding the values in the resulting web page. Input sanitisation happens in the function "sanitizeValues()" defined in Classes/Interceptor/RemoveXSS.php line 62ff.[0]:

Another value that TYPO3 Formhandler uses in forms is a so-called random ID, which is also obtained from a URL or POST parameter. In combination, both parameters make it possible to bypass the removeXSS() function as well and allow XSS.

Proof of Concept
================

The proof-of-concept URLs are created for the basic file upload example provided by the TYPO3 Formhandler documentation page [3]. The examples set the random ID parameter to a value containing the placeholder ###auth_code###, which contains an additional attack vector. For the attack vector to be included, the URLs need to be called twice. The second request needs to include the PHP session cookie that was set in response to the first request.

In the first example, the auth code bypasses the input sanitisation by using the placeholder ####### that renders to the empty string:

"><scr######ipt>alert("RedTeam+Pentesting")</script>

In the second example, the XSS code is split between the random ID and the auth code. The auth code is:

"><img src=x on

And the random ID is:

###auth_code###error='alert(/RedTeam Pentesting/.source)'

The third example uses the known bypass for the removeXSS() function by setting the auth code to:

A possible workaround might be to patch Classes/View/Form.php to apply htmlspecialchars() before storing the auth code value for the respective marker. An unofficial patch from the vendor is available at:
https://github.com/pluspol-interactive/typo3-formhandler/pull/1
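To make the ordering problem and the proposed workaround concrete, the following is an added illustration in PHP (7.4 or later) and not Formhandler's code: stripScriptTags(), substituteMarkers() and hiddenField() are simplified stand-ins for a strip-based filter, a ###marker### engine and the rendered field, and the fixed variant generalises the advisory's workaround by encoding both values for the attribute context before any marker handling.

```php
<?php
// Added illustration, not Formhandler's code: a simplified model of the
// sanitise-then-substitute ordering the advisory describes, next to the
// output-encoding fix it proposes. Only htmlspecialchars() is real PHP.

// Strip-based input filter standing in for the idea behind sanitizeValues():
// it removes the <script ...> and </script> tags it can recognise.
function stripScriptTags(string $value): string
{
    return preg_replace('#</?script[^>]*>#i', '', $value);
}

// ###name### marker substitution: the known marker is filled in, and any
// remaining text that still looks like a marker is deleted (renders as '').
function substituteMarkers(string $template, array $markers): string
{
    $out = str_replace('###auth_code###', $markers['auth_code'], $template);
    return preg_replace('/###.*?###/', '', $out);
}

function hiddenField(string $value): string
{
    return '<input type="hidden" name="randomID" value="' . $value . '">';
}

// Vulnerable order: filter the raw values, store the auth code for its marker,
// then let marker processing rejoin pieces the filter never saw as a tag.
function renderVulnerable(string $randomId, string $authCode): string
{
    $markers = ['auth_code' => stripScriptTags($authCode)];
    return hiddenField(substituteMarkers(stripScriptTags($randomId), $markers));
}

// Fixed order, generalising the advisory's workaround to both values:
// encode each value for the attribute context before any marker handling.
function renderFixed(string $randomId, string $authCode): string
{
    $encode = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    $markers = ['auth_code' => $encode($authCode)];
    return hiddenField(substituteMarkers($encode($randomId), $markers));
}

// Constructed inputs modelled on the advisory's first example.
$randomId = 'abc###auth_code###';
$authCode = '"><scr######ipt>alert(1)</script>';
// The filter lets <scr######ipt> through and marker cleanup rejoins it into
// <script>, so the attribute closes early and a script element follows.
echo renderVulnerable($randomId, $authCode), PHP_EOL;
// Every < > " is now &lt; &gt; &quot;, so the value stays attribute text.
echo renderFixed($randomId, $authCode), PHP_EOL;
```

The point of the model is the order of operations: a filter that runs before a transformation can only judge the text it sees, whereas encoding at the point of output judges the final string.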

Fix
===

None, since the project is no longer maintained.

Security Risk
=============

Attackers can use the vulnerability to execute arbitrary JavaScript on the target system. Depending on the site, it can be used to use and monitor the sessions of users, present phishing forms or harm the site's reputation with false information. Attackers need to get people to open the respective URLs twice for this attack to work and therefore can only target individual users. All in all, this is considered to be a medium-risk vulnerability. Depending on the affected site, the risk needs to be adjusted accordingly.

Timeline
========

2016-09-22 Vulnerability identified
2016-10-07 Customer approved disclosure to vendor
2016-10-07 Vendor notified
2016-10-11 Preliminary advisory sent to vendor
2016-10-12 Vendor prepared patch and sent it to TYPO3 security team
2016-10-13 Customer needs time to test the patch and deploy it
2017-07-10 Customer finished testing and deployment of patch
2017-07-17 Vendor agreed to have patch published as PR on Github
2017-07-27 Vendor patch published as pull request for a possibly active fork
2017-07-27 Advisory released

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested, please visit:
https://www.redteam-pentesting.de/jobs/